In 2019, Jack led again with true thought leadership – here’s a sampling:
Jack Jones FAIRCON19 Keynote: "Enabling Risk Management Programs that Actually Work"
In his keynote address kicking off the annual FAIR Conference, Jack greatly expanded the horizons of FAIR practitioners to show how the risk analysis model could be a change-maker throughout the organization – starting on a basic level with the clarity that FAIR terminology brings to discussions of risk, and moving up to strategic decision support.
Ultimate Buyers Guide to Understanding Cyber Risk Quantification by Jack Jones
Cyber risk quantification is generating plenty of buzz (from Gartner and other industry analysts), but in this guide Jack cuts through the marketing and lays out objective, detailed advice on acquiring a cyber risk quantification (CRQ) solution, including how to set goals, questions to ask any vendor – and red flags to watch for in their responses.
Quit Blaming Executives for Cybersecurity Problems
After a run of high-profile breaches, the infosec profession has been way too quick to blame non-technical management for failure to understand cybersecurity issues and fund cybersecurity projects, Jack wrote in this blog post. As long as the profession continues to communicate through red-yellow-green heat maps, vulnerability counts, and other strictly technical terminology, “it doesn’t seem to me that leadership can be held accountable…The onus is on our profession to take an honest look at how we understand, measure, and communicate the challenges within our problem space.”
Ask Tougher Questions of CISOs, Jack Jones Tells Board Members at NACD Event
An old joke in infosec circles: Two hikers run into a bear. The first hiker takes off his boots and puts on running shoes. The second hiker points out that no one can outrun a bear. “I don’t need to outrun the bear,” the first hiker replies. “I just need to outrun you.” The lesson is that a cybersecurity program doesn’t need to be good – just better than the one next door. “The lesson is dead wrong,” Jack writes: Organizations that benchmark themselves against others learn “very little about the actual efficacy of a cybersecurity program.”
More from Jack Jones in 2019:
Infosecurity Magazine on Jack Jones’ Approach to Risk Appetite: “Draw a Line in the Sand”
How the Infosec Profession Makes Its Job Harder than It Has to Be
How Much Risk Does that Risk Represent?
Security Exception vs. Risk Acceptance. What’s the Difference?
The world is catching up to Jack: in 2019, the keepers of both the NIST CSF and COSO ERM frameworks added FAIR to their best practices and SC Media named the FAIR Institute one of the most important industry organizations of the last 30 years.